Amendments to the Claims 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

Listing of Claims: 

1 1. (Previously Presented) A method of proving membership in a nested group,

2 wherein a presenter of credentials that requests one or more resources to which 

3 access is so controlled by a recipient of credentials so as to make them available to 

4 members of the nested group presents to the recipient of credentials one or more 

5 chains of group credentials that prove the presenter's membership in the nested 

6 group. 

1 2. (Original) The method of claim 1, wherein one of said chains of group credentials

2 comprise one or more proofs of group membership. 

1 3. (Original) The method of claim 2, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 4. (Original) The method of claim 2, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 5. (Original) The method of claim 1, wherein one of said chains of group credentials

2 comprise one or more proofs of group non-membership. 

1 6. (Original) The method of claim 5, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 7. (Original) The method of claim 5, wherein said proofs of group non-membership 

2 comprise one or more group membership lists. 

1 8. (Original) The method of claim 1, wherein said recipient is a resource server.






1 9. (Original) The method of claim 1, wherein said recipient is an on-line group

2 server. 

1 10. (Original) The method of claim 1, wherein said recipient is an on-line revocation

2 server.

1 11. (Original) The method of claim 1, wherein said recipient is a client.

1 12. (Previously Presented) A method of proving non-membership in a nested group, 

2 wherein a presenter of credentials that requests one or more resources to which access 

3 is so controlled by a recipient of credentials so as to make them available to non- 

4 members of the nested group presents to the recipient of credentials one or more 

5 chains of group credentials that prove the presenter's non-membership in the nested 

6 group. 

1 13. (Original) The method of claim 12, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 14. (Original) The method of claim 13, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 15. (Original) The method of claim 13, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 16. (Original) The method of claim 12, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 17. (Original) The method of claim 16, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 18. (Original) The method of claim 16, wherein said proofs of group non-membership 

2 comprise one or more group membership lists. 

1 19. (Original) The method of claim 12, wherein said recipient is a resource server.

1 20. (Original) The method of claim 12, wherein said recipient is an on-line group 

2 server. 

1 21. (Original) The method of claim 12, wherein said recipient is an on-line revocation

2 server. 

1 22. (Original) The method of claim 12, wherein said recipient is a client. 

1 23. (Previously Presented) A computer system wherein a presenter of credentials 

2 that requests one or more resources to which access is so controlled by a recipient of 

3 credentials so as to make them available to members of a nested group presents to the

4 recipient of credentials one or more chains of group credentials to prove the presenter's 

5 membership in the nested group. 

1 24. (Original) The system of claim 23, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 25. (Original) The system of claim 24, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 26. (Original) The system of claim 24, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 27. (Original) The system of claim 23, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 28. (Original) The system of claim 27, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 29. (Original) The system of claim 27, wherein said proofs of group non-membership

2 comprise one or more group membership lists. 

1 30. (Original) The system of claim 23, wherein said recipient is a resource server. 

1 31. (Original) The system of claim 23, wherein said recipient is an on-line group

2 server. 

1 32. (Original) The system of claim 23, wherein said recipient is an on-line revocation 

2 server. 

1 33. (Original) The system of claim 23, wherein said recipient is a client. 

1 34. (Previously Presented) A computer system wherein a presenter of credentials 

2 that requests one or more resources to which access is so controlled by a recipient of 

3 credentials so as to make them available to non-members of a nested group presents to 

4 the recipient of credentials one or more chains of group credentials to prove the 

5 presenter's non-membership in the nested group. 

1 35. (Original) The system of claim 34, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 36. (Original) The system of claim 35, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 37. (Original) The system of claim 35, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 38. (Original) The system of claim 34, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 39. (Original) The system of claim 38, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 40. (Original) The system of claim 38, wherein said proofs of group non-membership

2 comprise one or more group membership lists. 

1 41. (Original) The system of claim 34, wherein said recipient is a resource server.

1 42. (Original) The system of claim 34, wherein said recipient is an on-line group 

2 server. 

1 43. (Original) The system of claim 34, wherein said recipient is an on-line revocation 

2 server. 

1 44. (Original) The system of claim 34, wherein said recipient is a client. 

1 45. (Previously Presented) A method of requesting one or more resources from a 

2 server on a computer network, in which access to said resources is so controlled by 

3 said server so as to make them available to members of a nested group, the method 

4 comprising: 

5 A. obtaining one or more chains of group credentials that prove membership 

6 in the nested group, and 

7 B. transmitting to the server a request for one or more of the one or more 

8 resources, said request including the one or more chains of group credentials that prove 

9 membership in the nested group. 

1 46. (Original) The method of claim 45, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 47. (Original) The method of claim 46, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 48. (Original) The method of claim 46, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 49. (Original) The method of claim 45, wherein one of said chains of group

2 credentials comprise one or more proofs of group non-membership. 

1 50. (Original) The method of claim 49, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 51. (Original) The method of claim 49, wherein said proofs of group non-membership

2 comprise one or more group membership lists. 

1 52. (Previously Presented) A method of requesting one or more resources from a 

2 server on a computer network, in which access to said resources is so controlled by 

3 said server so as to make them available to non-members of a nested group, the 

4 method comprising: 

5 A. obtaining one or more chains of group credentials that prove non- 

6 membership in the nested group, and 

7 B. transmitting to the server a request for one or more of the one or more 

8 resources, said request including the one or more chains of group credentials that prove 

9 non-membership in the nested group. 

1 53. (Original) The method of claim 52, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 54. (Original) The method of claim 53, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 55. (Original) The method of claim 53, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 56. (Original) The method of claim 52, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 57. (Original) The method of claim 56, wherein said proofs of group non-membership

2 comprise one or more group non-membership certificates. 

1 58. (Original) The method of claim 56, wherein said proofs of group non-membership 

2 comprise one or more group membership lists. 

1 59. (Previously Presented) A client device on a computer network, said client device 

2 configured for requesting one or more resources from a server on the network, in which 

3 access to said resources is so controlled by said server so as to make them available to 

4 members of a nested group, said client device comprising: 

5 A. means for obtaining one or more chains of group credentials that prove 

6 client membership in the nested group, and 

7 B. means for transmitting to the server a request for one or more of the 

8 service one or more of the one or more resources, said request including the one or 

9 more chains of group credentials that prove client membership in the nested group. 

1 60. (Original) The client device of claim 59, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 61. (Original) The client device of claim 60, wherein said proofs of group membership

2 comprise one or more group membership certificates. 

1 62. (Original) The client device of claim 60, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 63. (Original) The client device of claim 59, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 64. (Original) The client device of claim 63, wherein said proofs of group 

2 nonmembership comprise one or more group non-membership certificates. 

1 65. (Original) The client device of claim 63, wherein said proofs of group

2 nonmembership comprise one or more group membership lists. 

1 66. (Previously Presented) A client device on a computer network, said client device 

2 configured for requesting one or more resources from a server on the network, in which 

3 access to said resources is so controlled by said server so as to make them available to 

4 non-members of a nested group, said client device comprising: 

5 A. means for obtaining one or more chains of group credentials that prove 

6 client non-membership in the nested group, and 

7 B. means for transmitting to the server a request for one or more of the one 

8 or more resources, said request including the one or more chains of group credentials 

9 that prove client non-membership in the nested group. 

1 67. (Original) The client device of claim 66, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 68. (Original) The client device of claim 67, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 69. (Original) The client device of claim 67, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 70. (Original) The client device of claim 66, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 71. (Original) The client device of claim 70, wherein said proofs of group

2 nonmembership comprise one or more group non-membership certificates. 

1 72. (Original) The client device of claim 70, wherein said proofs of group 

2 nonmembership comprise one or more group membership lists. 

1 73. (Previously Presented) A method for operating a resource server on a computer

2 network, said resource server configured to control access to one or more resources 

3 and provide access thereto to members of a nested group, the method comprising: 

4 A. receiving a resource-access request from a client, said request including 

5 one or more chains of group credentials proving client membership in the nested group, 

6 B. validating the one or more chains of group credentials, and 

7 C. if the one or more chains of group credentials are determined to be valid, 

8 providing the requested access to the client. 

1 74. (Original) The method of claim 73, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 75. (Original) The method of claim 74, wherein said proofs of group membership 

2 comprise one or more group membership certificates. 

1 76. (Original) The method of claim 74, wherein said proofs of group membership 

2 comprise one or more group membership lists. 

1 77. (Original) The method of claim 73, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 78. (Original) The method of claim 77, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 79. (Original) The method of claim 77, wherein said proofs of group non-membership 

2 comprise one or more group membership lists. 

1 80. (Previously Presented) A method for operating a resource server on a computer 

2 network, said resource server configured to control access to one or more resources 

3 and provide access thereto to non-members of a nested group, the method comprising: 

4 A. receiving a resource-access request from the a client, said request

5 including one or more chains of group credentials proving client non-membership in the 

6 nested group, 

7 B. validating the one or more chains of group credentials, and 

8 C. if the one or more chains of group credentials are determined to be valid, 

9 providing the requested access to the client. 



1 81. (Original) The method of claim 80, wherein one of said chains of group

2 credentials comprise one or more proofs of group membership. 

1 82. (Original) The method of claim 81, wherein said proofs of group membership

2 comprise one or more group membership certificates. 

1 83. (Original) The method of claim 81, wherein said proofs of group membership

2 comprise one or more group membership lists. 

1 84. (Original) The method of claim 80, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 85. (Original) The method of claim 84, wherein said proofs of group non-membership 

2 comprise one or more group non-membership certificates. 

1 86. (Original) The method of claim 84, wherein said proofs of group non-membership 

2 comprise one or more group membership lists. 



1 87. (Previously Presented) A method for operating a resource server on a computer 

2 network, said resource server configured to control access to one or more resources 

3 and provide access thereto to members of a nested group, the method comprising: 

4 A. means for receiving a resource-access request from a client, said request 

5 including one or more chains of group credentials proving client membership in the 

6 nested group, 

7 B. means for validating the one or more chains of group credentials, and 

8 C. means for providing the requested access to the client if the one or more

9 chains of group credentials are determined to be valid. 

1 88. (Original) The resource server of claim 87, wherein one of said chains of group 

2 credentials comprise one or more proofs of group membership. 

1 89. (Original) The resource server of claim 88, wherein said proofs of group 

2 membership comprise one or more group membership certificates. 

1 90. (Original) The resource server of claim 88, wherein said proofs of group 

2 membership comprise one or more group membership lists. 

1 91. (Original) The resource server of claim 87, wherein one of said chains of group

2 credentials comprise one or more proofs of group non-membership. 

1 92. (Original) The resource server of claim 91, wherein said proofs of group

2 nonmembership comprise one or more group non-membership certificates. 

1 93. (Original) The resource server of claim 91, wherein said proofs of group

2 nonmembership comprise one or more group membership lists. 

1 94. (Previously Presented) A method for operating a resource server on a computer 

2 network, said resource server configured to control access to one or more resources 

3 and provide access thereto to non-members of a nested group, the method comprising: 

4 A. means for receiving a resource-access request from the a client, said 

5 request including one or more chains of group credentials proving client non- 

6 membership in the nested group, 

7 B. means for validating the one or more chains of group credentials, and 

8 C. means for providing the requested access to the client if the one or more 

9 chains of group credentials are determined to be valid. 

1 95. (Original) The resource server of claim 94, wherein one of said chains of group

2 credentials comprise one or more proofs of group membership. 

1 96. (Original) The resource server of claim 95, wherein said proofs of group 

2 membership comprise one or more group membership certificates. 

1 97. (Original) The resource server of claim 95, wherein said proofs of group 

2 membership comprise one or more group membership lists. 

1 98. (Original) The resource server of claim 94, wherein one of said chains of group 

2 credentials comprise one or more proofs of group non-membership. 

1 99. (Original) The resource server of claim 98, wherein said proofs of group 

2 nonmembership comprise one or more group non-membership certificates. 

1 100. (Original) The resource server of claim 98, wherein said proofs of group non- 

2 membership comprise one or more group membership lists. 

1 101. (Currently Amended) A computer data signal embodied in a carrier wave and 

2 representing a sequence of instructions that, when are read from the carrier wave and

3 executed by a processor in a network device requesting one or more resources from a 

4 server, in which access to said resources is so controlled by said server so as to make 

5 them available to members of a nested group, configures wherein the instructions, as

6 executed by the processor, configure the network device to operate as a client device 

7 that: 

8 A. obtains one or more chains of group credentials that prove client 

9 membership in the nested group, and 

10 B. transmits to the server a request for one or more of the one or more 

11 resources, said request including the one or more chains of group credentials that prove 

12 membership in the nested group. 

1 102. (Original) The computer data signal of claim 101, wherein one of said chains of

2 group credentials comprise one or more proofs of group membership. 

1 103. (Original) The computer data signal of claim 102, wherein said proofs of group

2 membership comprise one or more group membership certificates. 

1 104. (Original) The computer data signal of claim 102, wherein said proofs of group

2 membership comprise one or more group membership lists. 

1 105. (Original) The computer data signal of claim 101, wherein one of said chains of

2 group credentials comprise one or more proofs of group non-membership. 

1 106. (Original) The computer data signal of claim 105, wherein said proofs of group

2 non-membership comprise one or more group non-membership certificates. 

1 107. (Original) The computer data signal of claim 105, wherein said proofs of group 

2 non-membership comprise one or more group membership lists. 

1 108. (Currently Amended) A computer data signal embodied in a carrier wave and

2 representing a sequence of instructions that, when are read from the carrier wave and

3 executed by a processor in a network device requesting one or more resources from a 

4 server, in which access to said resources is so controlled by said server so as to make 

5 them available to non-members of a nested group, configures wherein the instructions,

6 as executed by the processor configure the network device to operate as a client 

7 device that: 

8 A. obtains one or more chains of group credentials that prove client non- 

9 membership in the nested group, and 

10 B. transmits to the server a request for one or more of the one or more 

11 resources, said request including the one or more chains of group credentials that prove

12 non-membership in the nested group. 

1 109. (Original) The computer data signal of claim 108, wherein one of said chains of

2 group credentials comprise one or more proofs of group membership. 

1 110. (Original) The computer data signal of claim 109, wherein said proofs of group

2 membership comprise one or more group membership certificates. 

1 111. (Original) The computer data signal of claim 109, wherein said proofs of group

2 membership comprise one or more group membership lists. 

1 112. (Original) The computer data signal of claim 108, wherein one of said chains of 

2 group credentials comprise one or more proofs of group non-membership. 

1 113. (Original) The computer data signal of claim 112, wherein said proofs of group

2 non-membership comprise one or more group non-membership certificates. 

1 114. (Original) The computer data signal of claim 112, wherein said proofs of group 

2 non-membership comprise one or more group membership lists. 

1 115. (Currently Amended) A computer data signal embodied in a carrier wave and 

2 representing a sequence of instructions that, when are read from the carrier wave and

3 executed by a processor in a network device configured to control access to one or 

4 more resources and provide access thereto to members of a nested group, configures

5 wherein the instructions, as executed by the processor, configure the network device to 

6 operate as a resource server that: 

7 A. receives a resource-access request from the a client, said request 

8 including one or more chains of group credentials proving client membership in the 

9 nested group, 

10 B. validates the one or more chains of group credentials, and 

11 C. if the one or more chains of group credentials are determined to be valid, 

12 provides the requested access to the client. 

1 116. (Original) The computer data signal of claim 115, wherein one of said chains of

2 group credentials comprise one or more proofs of group membership. 

1 117. (Original) The computer data signal of claim 116, wherein said proofs of group 

2 membership comprise one or more group membership certificates. 

1 118. (Original) The computer data signal of claim 116, wherein said proofs of group 

2 membership comprise one or more group membership lists. 

1 119. (Original) The computer data signal of claim 115, wherein one of said chains of 

2 group credentials comprise one or more proofs of group non-membership. 

1 120. (Original) The computer data signal of claim 119, wherein said proofs of group

2 non-membership comprise one or more group non-membership certificates. 

1 121. (Original) The computer data signal of claim 119, wherein said proofs of group 

2 non-membership comprise one or more group membership lists. 

1 122. (Currently Amended) A computer data signal embodied in a carrier wave and 

2 representing a sequence of instructions that, when are read from the carrier wave and

3 executed by a processor in a network device configured to control access to one or 

4 more resources and provide access thereto to non-members of a nested group, 

5 configures wherein the instructions, as executed by the processor, configure the

6 network device to operate as a resource server that: 

7 A. receives a resource-access request from the a client, said request 

8 including one or more chains of group credentials proving client non-membership in the 

9 nested group, 

10 B. validates the one or more chains of group credentials, and 

11 C. if the one or more chains of group credentials are determined to be valid, 

12 provides the requested access to the client. 

1 123. (Original) The computer data signal of claim 122, wherein one of said chains of

2 group credentials comprise one or more proofs of group membership. 

1 124. (Original) The computer data signal of claim 123, wherein said proofs of group 

2 membership comprise one or more group membership certificates. 

1 125. (Original) The computer data signal of claim 123, wherein said proofs of group 

2 membership comprise one or more group membership lists. 

1 126. (Original) The computer data signal of claim 122, wherein one of said chains of 

2 group credentials comprise one or more proofs of group non-membership. 

1 127. (Original) The computer data signal of claim 126, wherein said proofs of group 

2 non-membership comprise one or more group non-membership certificates. 

1 128. (Original) The computer data signal of claim 126, wherein said proofs of group 

2 non-membership comprise one or more group membership lists. 